Data Analytics SDK Tracks Users' Location by Phone, Then Sells It, Says Complaint
InMarket Media tracks consumers’ precise geolocation data through its InMarket SDK “spyware” and profits from it by selling the data to third parties, alleged a privacy complaint Friday (docket 4:24-cv-00511) in U.S. District Court for Northern California in Oakland.
Plaintiff Autry Willis, an Oakland resident, downloaded a phone app that had geolocation data tracking using InMarket’s SDK, the complaint said. At the time, Willis didn’t expect the app to transfer her geolocation data to another entity for the purpose of selling data, but it did just that, tracking her geolocation in California and selling the data for profit, it said.
Willis has not consented to have her geolocation data sold to third parties for “valuable consideration,” the complaint said. If she had been aware InMarket would collect and sell her location data to third parties, she wouldn’t have used the app, she said. She used the app most recently in December, the complaint said.
The InMarket SDK is deployed in over 300 third-party apps that have been downloaded on over 390 million devices since 2017, the complaint said. Apps that incorporate the tracking software request access to the location data generated by a mobile device’s operating system, it said. If the user allows access, the InMarket SDK receives the device’s latitude and longitude and a time stamp and mobile device identifier, if the phone’s operating system allows it; then it transmits it directly to InMarket servers, it said. Collection intervals range from “almost no collection when the phone is idle, to every few seconds” when the device is moving, it said.
Data collected by the InMarket SDK includes where users live, work, and worship and where their children go to school or obtain child care. It includes where they received medical treatment, “potentially revealing the existence of medical conditions,” and whether they went to rallies, demonstrations or protests, which could reveal their political affiliations, it said. The information is collected with several identifiers and is retained for up to five years, it said.
InMarket uses the data to sort consumers into audience segments based on their visits to “points of interest” and then targets them with advertising, the complaint said, saying it has nearly 2,000 distinct segments. That means its clients can target shoppers based on income, religion and whether they’re driven more by convenience or price sensitivity, it said.
If a user’s past location data shows she has visited a car dealership, the defendant can combine that information with her attributes purchased from other sources about income, “family structure,” education level and age, the complaint said. InMarket offers advertisers a product that uses push notifications based on a user’s location and geofencing; when the SDK transmits a location inside a “virtual face,” the app sends a push notification for an ad, it said. It could send a consumer within 600 feet of a pharmacy a push notification for toothpaste or cold medicine, it said.
Advertisers with the highest bid for a particular device will have their ads displayed; InMarket collects “some revenue” each time an advertiser uses one of its audiences “in this process,” the complaint said.
InMarket doesn’t require the third-party apps that use its SDK to obtain informed consumer consent, said the release. Its contract with app developers says the defendant will serve ads on the developer’s apps in exchange for developers passing user information to InMarket, including precise location and advertising identifiers, the complaint said. InMarket “does not disclose that information collected from these third-party users will be supplemented and cross-referenced with purchased data and analyzed to draw inferences about those users for marketing purposes,” it said.
Because InMarket “readily combined the location data of those users into its databases and systems without confirming user consent,” it was able to obtain and use the data without informed user consent, resulting in "consumer injury," the complaint said.
In addition to violation of the California Computer Data Access and Fraud Act claims, the complaint also alleges invasion of privacy, use of a pen register or trap and trace device, violations of the California Wiretapping Act and Unfair Competition law, plus unjust enrichment. Willis seeks compensatory, statutory and punitive damages, pre-judgment interest and attorneys’ fees and costs.